mitigation – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.

Security Growing Pains | Self-Hosted 37
https://original.jupiterbroadcasting.net/144082/security-growing-pains-self-hosted-37/
Fri, 29 Jan 2021 05:30:00 +0000

Show Notes: selfhosted.show/37

The post Security Growing Pains | Self-Hosted 37 first appeared on Jupiter Broadcasting.

A Bias to Insecurity | TechSNAP 223
https://original.jupiterbroadcasting.net/85347/a-bias-to-insecurity-techsnap-223/
Thu, 16 Jul 2015 15:56:01 +0000

The post A Bias to Insecurity | TechSNAP 223 first appeared on Jupiter Broadcasting.


The Hacking Team fallout continues with more zero day patches you need to install, a new attack against RC4 might finally kill it & how to save yourself from a DDoS attack.

Plus a great batch of your questions, our answers & much, much more!

Thanks to:

  • DigitalOcean
  • Ting
  • iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed


— Show Notes: —

Hacking Team fallout includes more Flash patches


New attack against RC4 cipher might finally kill it

  • RC4 is one of the oldest ciphers still used as part of HTTPS
  • It was often selected for its lower CPU overhead, but as processors got faster and SSL terminators offloaded the work, this became less of a reason to use RC4
  • It looked like RC4 would finally die, but then attacks against SSL/TLS that only affected block ciphers emerged: BEAST, Lucky 13, and POODLE
  • This propelled RC4 back up the priority list
  • RC4 is also the most widely supported cipher: older systems that do not support stronger crypto all have RC4
  • RFC 7465, proposed by Microsoft and others, was approved by the IETF and requires that RC4 not be used in TLS
  • Researchers have presented a new paper at the USENIX Security conference that details a new attack against RC4
  • RC4 is still widely used for HTTPS and also for some types of WiFi
  • The flaw allows the attacker to steal cookies and other encrypted information in your HTTPS session
  • This might allow the attacker to impersonate you or log in as you on the site, posting to your Twitter account or initiating a transfer from your PayPal account.
  • “The research behind the attack will be presented at USENIX Security. Summarized, an attacker can decrypt a cookie within 75 hours. In contrast to previous attacks, this short execution time allows us to perform the attack in practice. When we tested the attack against real devices, it took merely 52 hours to successfully perform the attack”
  • “When the victim visits an unencrypted website, the attacker inserts malicious JavaScript code inside the website. This code will induce the victim to transmit encrypted requests which contain the victim’s web cookie. By monitoring numerous of these encrypted requests, a list of likely cookie values can be recovered. All cookies in this list are tested until the correct one is found.”
  • Attack Method:
    • Step 1: Attacker injects code into the victim's HTTP stream, causing the victim's browser to make known requests to a secure site with their cookie
    • Step 2: Attacker captures the encrypted requests going to the site secured with RC4
    • Step 3: Attacker computes likely cookies and tries each one until they successfully guess the correct cookie
    • Step 4: Profit, empty the bank account
  • “To successfully decrypt a 16-character cookie with a success probability of 94%, roughly 9⋅2^27 encryptions of the cookie need to be captured. Since we can make the client transmit 4450 requests per seconds, this amount can be collected in merely 75 hours. If the attacker has some luck, less encryptions need to be captured. In our demonstration 52 hours was enough to execute the attack, at which point 6.2⋅2^27 requests were captured. Generating these requests can even be spread out over time: they do not have to be captured all at once. During the final step of the attack, the captured requests are transformed into a list of 2^23 likely cookie values. All cookies in this list can be tested in less than 7 minutes.”
  • “In the paper we not only present attacks against TLS/HTTPS, but also against WPA-TKIP. Our attack against WPA-TKIP takes only an hour to execute, and allows an attacker to inject and decrypt arbitrary packets.”
  • How does this compare to previous attacks? “The first attack against RC4 as used in TLS was estimated to take more than 2000 hours”
  • Paper: All Your Biases Belong to Us: Breaking RC4 in WPA-TKIP and TLS
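To see the weakness this attack builds on without any network traffic, here is an added Python example (not from the show, the paper, or any tool it mentions) that implements textbook RC4, measures how often the second keystream byte is 0x00 across random keys (the well-known Mantin-Shamir bias, about twice the 1/256 an unbiased stream would give), and, on the mitigation side, flags any RC4 cipher suites in a configured list as RFC 7465 requires. The cipher list and the sample counts are constructed for the example.

```python
import os


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA followed by PRGA). Included only to measure its
    output biases; RC4 must not be used to protect real traffic (RFC 7465)."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def zero_bias(position: int, samples: int, key_len: int = 16) -> float:
    """Generate `samples` keystreams under fresh random keys and return how
    often keystream byte `position` (0-based) is 0x00, relative to the 1/256
    an unbiased stream would give (1.0 = unbiased, 2.0 = twice as likely)."""
    zeros = sum(
        rc4_keystream(os.urandom(key_len), position + 1)[position] == 0
        for _ in range(samples)
    )
    return zeros / samples * 256


def rc4_suites(cipher_names):
    """Return the cipher suites in a configured list that RFC 7465 forbids
    (any suite negotiating RC4). An empty result means the list is compliant."""
    return [name for name in cipher_names if "RC4" in name.upper()]


if __name__ == "__main__":
    # Constructed sample of an older TLS cipher list (not taken from a real server)
    configured = ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA",
                  "ECDHE-RSA-RC4-SHA", "AES256-SHA"]
    print("RC4 suites to remove:", rc4_suites(configured))
    # Second keystream byte is 0x00 about twice as often as it should be
    print("byte 2 bias toward 0x00 (expect ~2.0):", round(zero_bias(1, 20000), 2))
    print("byte 1 bias toward 0x00 (expect ~1.0):", round(zero_bias(0, 20000), 2))
```

The second-byte bias is only the simplest of the many biases the paper combines; the point of the measurement is that a stream cipher whose output is statistically distinguishable from random lets repeated encryptions of the same secret (such as a cookie) leak it, which is why the fix is to remove RC4 suites rather than to tune how they are used.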

Feedback:


Round Up:


Certified Package Delivery | BSD Now 33
https://original.jupiterbroadcasting.net/55382/certified-package-delivery-bsd-now-33/
Thu, 17 Apr 2014 18:59:10 +0000

The post Certified Package Delivery | BSD Now 33 first appeared on Jupiter Broadcasting.


We sit down with Jim Brown from the BSD Certification group to talk about the BSD exams. Following that, we’ll be showing you how to build OpenBSD binary packages in bulk, a la poudriere. There’s a boatload of news and we’ve got answers to your questions, coming up on BSD Now – the place to B.. SD.

Thanks to:

  • iXsystems

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

BSDCan schedule, speakers and talks

  • This year’s BSDCan will kick off on May 14th in Ottawa
  • The list of speakers is also out
  • And finally the talks everyone’s looking forward to
  • Lots of great tutorials and talks, spanning a wide range of topics of interest
  • Be sure to come by so you can meet Allan and Kris in person and get BSDCan shirts

NYCBSDCon talks uploaded

  • The BSD TV YouTube channel has been uploading recordings from the 2014 NYCBSDCon
  • Jeff Rizzo’s talk, “Releasing NetBSD: So Many Targets, So Little Time”
  • Dru Lavigne’s talk, “ZFS Management Tools in FreeNAS and PC-BSD”
  • Scott Long’s talk, “Serving one third of the Internet via FreeBSD”
  • Michael W. Lucas’ talk, “BSD Breaking Barriers”

FreeBSD Journal, issue 2

  • The bi-monthly FreeBSD Journal’s second issue is out
  • Topics in this issue include pkg, poudriere, the PBI format, hwpmc and journaled soft-updates
  • In less than two months, they’ve already gotten over 1000 subscribers! It’s available on Google Play, iTunes, Amazon, etc
  • “We are also working on a dynamic version of the magazine that can be read in many web browsers, including those that run on FreeBSD”
  • Check our interview with GNN for more information about the journal

OpenSSL, more like OpenSS-Hell

  • We mentioned this huge OpenSSL bug last week during all the chaos, but the aftermath is just as messy
  • There’s been a pretty vicious response from security experts all across the internet and in all of the BSD projects – and rightfully so
  • We finally have a timeline of events
  • Reactions from ISC, PCBSD, Tarsnap, the Tor project, FreeBSD, NetBSD, oss-sec, PHK, Varnish and Akamai
  • pfSense released a new version to fix it
  • OpenBSD disabled heartbeat entirely and is very unforgiving of the IETF
  • Ted Unangst has two good write-ups about the issue and how horrible the OpenSSL codebase is
  • A nice quote from one of the OpenBSD lists: “Given how trivial one-liner fixes such as #2569 have remained unfixed for 2.5+ years, one can only assume that OpenSSL’s bug tracker is only used to park bugs, not fix them”
  • Sounds like someone else was having fun with the bug for a while too
  • There’s also another OpenSSL bug, possibly worse, that OpenBSD patched – it allows an attacker to inject data from one connection into another
  • OpenBSD has also imported the most current version of OpenSSL and is ripping it apart from the inside out – we’re seeing a fork in real time (over 55000 lines of code removed as of yesterday evening)

Interview – Jim Brown – info@bsdcertification.org

The BSD Certification exams


Tutorial

Building OpenBSD binary packages in bulk


News Roundup

Portable signify

  • Back in episode 23 we talked with Ted Unangst about the new “signify” tool in OpenBSD
  • Now there’s a (completely unofficial) portable version of it on github
  • If you want to verify your OpenBSD sets ahead of time on another OS, this tool should let you do it
  • Maybe other BSD projects can adopt it as a replacement for gpg and incorporate it into their base systems

Foundation goals and updates

  • The OpenBSD foundation has reached their 2014 goal of $150,000
  • You can check their activities and goals to see where the money is going
  • Remember that funding also goes to OpenSSH, which EVERY system uses and relies on every day to protect its data
  • The FreeBSD foundation has kicked off their spring fundraising campaign
  • There’s also a list of their activities and goals available to read through
  • Be sure to support your favorite BSD, whichever one, so they can continue to make and improve great software that powers the whole internet

PCBSD weekly digest

  • New PBI runtime that fixes stability issues and decreases load times
  • “Update Center” is getting a lot of development and improvements
  • Lots of misc. bug fixes and updates

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv – there’s a couple new ones on the site now that we’ll be covering in future episodes
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • If you’ve got something cool to talk about and want to come on for an interview, shoot us an email
  • Also if you have any tutorial requests, we’d be glad to show whatever the viewers want to see
  • If you’re in or around Colorado in the US, there’s a brand new BSD users group that was just formed and announced – they’ll be having meetings and doing tutorials, so check out their site (also, if you have a local BUG, let us know!)
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)
